memcached policy

Dominick Grift domg472 at gmail.com
Tue Jun 30 08:04:40 UTC 2009


On Mon, 2009-06-29 at 20:49 -0700, Vadym Chepkov wrote:
> It seems selinux memcache module has bugs in it or do I miss some boolean?
> I seriously doubt about first one.
> 
> memcached-selinux-1.2.8-1.fc11.i586
> 
> type=AVC msg=audit(1246327827.194:59): avc:  denied  { write } for  pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file
> 
> type=AVC msg=audit(1246332806.070:95): avc:  denied  { write } for  pid=3780 comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket
> 
> type=AVC msg=audit(1246332806.070:97): avc:  denied  { name_bind } for  pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
> 
> type=AVC msg=audit(1246332806.071:98): avc:  denied  { name_bind } for  pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket
> 
> Sincerely yours,
>   Vadym Chepkov

This is what audit2why says here:

[root at notebook2 Desktop]# echo "type=AVC msg=audit(1246327827.194:59): avc:  denied  { write } for  pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file" | audit2why
type=AVC msg=audit(1246327827.194:59): avc:  denied  { write } for  pid=2559 comm=memcached name=memcached.pid dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file

        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.


This is my version of selinux policy:

[root at notebook2 Desktop]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.6.12-61.fc11.noarch
selinux-policy-3.6.12-61.fc11.noarch

This is what sesearch says here:

[root at notebook2 Desktop]# sesearch --allow -s memcached_t -t memcache_port_t
Found 2 semantic av rules:
   allow memcached_t memcache_port_t : tcp_socket name_bind ; 
   allow memcached_t memcache_port_t : udp_socket name_bind ; 

Conclusion:

This access is allowed in 3.6.12-61. You can get it from
koji.fedoraproject.org/koji

Also have a look at this: 

http://danwalsh.livejournal.com/29463.html

Hth,
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
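The reply above triages the four AVC denials by hand: it pipes one into audit2why and runs sesearch against the policy's allow rules for memcache_port_t. The script below is an added example, not code from the thread or from the SELinux tools. It parses raw AVC lines into (source type, target type, class, permissions) tuples, parses allow rules in the format sesearch prints, and reports which denials are fully covered by those rules. The sample input is constructed from the lines quoted in the thread; the rule set is only the two rules the reply shows, so the file write denial is reported as uncovered here even though audit2why said the active policy would allow it (that rule was simply not part of the sesearch query).

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four AVC lines quoted in the thread, verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1246327827.194:59): avc:  denied  { write } for  pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1246332806.070:95): avc:  denied  { write } for  pid=3780 comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket',
    'type=AVC msg=audit(1246332806.070:97): avc:  denied  { name_bind } for  pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1246332806.071:98): avc:  denied  { name_bind } for  pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket',
]

# Constructed sample input: the two allow rules sesearch printed in the reply.
SESEARCH_OUTPUT = """Found 2 semantic av rules:
   allow memcached_t memcache_port_t : tcp_socket name_bind ;
   allow memcached_t memcache_port_t : udp_socket name_bind ;
"""

@dataclass(frozen=True)
class Denial:
    perms: frozenset        # permissions requested, e.g. {'write'}
    source_type: str        # type field of scontext, e.g. memcached_t
    target_type: str        # type field of tcontext, e.g. memcache_port_t
    tclass: str             # object class, e.g. tcp_socket
    comm: str
    pid: int

# "avc:  denied  { perm perm } for  key=value ..." ; everything after "for" is key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sesearch rule: allow SRC TGT : CLASS PERM ;  or  allow SRC TGT : CLASS { p1 p2 } ;
RULE_RE = re.compile(r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]+)\}|(\w+))\s*;')

def type_of(context):
    """Return the type component of user:role:type:level (index 2 survives MLS ranges)."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial line; return a Denial or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Denial(
        perms=frozenset(m.group('perms').split()),
        source_type=type_of(fields['scontext']),
        target_type=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        comm=fields.get('comm', ''),
        pid=int(fields['pid']),
    )

def parse_sesearch(text):
    """Return a list of (source, target, class, frozenset(perms)) from sesearch --allow output."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, multi, single = m.groups()
        rules.append((src, tgt, cls, frozenset((multi or single).split())))
    return rules

def is_allowed(denial, rules):
    """True if every permission the denial asked for is granted by the matching rules."""
    granted = set()
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (denial.source_type, denial.target_type, denial.tclass):
            granted |= perms
    return denial.perms <= granted

def triage(avc_lines, sesearch_text):
    """Map each denial's (class, perms) to whether the listed allow rules cover it."""
    rules = parse_sesearch(sesearch_text)
    report = {}
    for line in avc_lines:
        d = parse_avc(line)
        if d is None:
            continue
        report[(d.tclass, ' '.join(sorted(d.perms)))] = is_allowed(d, rules)
    return report

if __name__ == '__main__':
    for (tclass, perms), covered in triage(AVC_LINES, SESEARCH_OUTPUT).items():
        status = 'covered by listed rules' if covered else 'NOT covered by listed rules'
        print(f'{tclass:22} {perms:10} {status}')
```

Denials that come back as not covered are the ones worth checking next with audit2why against the installed policy, or with a broader sesearch (by source type only) before concluding that a policy update is needed.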